evolve aws_china_mfa

thiagowfx · thiagowfx · commit 8c0d0cec17e5 · 2025-10-03T23:56:26.000+02:00
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ A potpourri of sweet ingredients
 ## Tools
 
 <!-- keep-sorted start -->
-- **[aws_china_mfa](aws_china_mfa/)** - Authenticate to AWS China using MFA and export temporary session credentials in the current shell
+- **[aws_china_mfa](aws_china_mfa/)** - Authenticate to AWS China using MFA and export temporary session credentials
 - **[op_login_all](op_login_all/)** - Automatically log into all your 1Password accounts
 - **[pritunl_login](pritunl_login/)** - Connect to Pritunl VPN using credentials stored in 1Password
 - **[sd_world](sd_world/)** - Cross-platform full system upgrade script
diff --git a/aws_china_mfa/README.md b/aws_china_mfa/README.md
@@ -1,10 +1,10 @@
 # aws_china_mfa.sh
 
-A script to authenticate to AWS China using MFA and export temporary session credentials in the current shell.
+A script to authenticate to AWS China using MFA and export temporary session credentials.
 
 ## Usage
 
-Source the script (do not execute it directly):
+### Option 1: Source the script
 
 ```bash
 source ./aws_china_mfa.sh
@@ -16,8 +16,30 @@ Or with a custom AWS profile:
 source ./aws_china_mfa.sh my-china-profile
 ```
 
+### Option 2: Execute with eval
+
+```bash
+eval "$(./aws_china_mfa.sh)"
+```
+
+Or with a custom AWS profile:
+
+```bash
+eval "$(./aws_china_mfa.sh my-china-profile)"
+```
+
+### Option 3: Execute and copy/paste export commands
+
+```bash
+./aws_china_mfa.sh
+```
+
+The script will print export commands that you can copy and paste into your shell.
+
 ## Example Output
 
+### Option 1: Source the script
+
 ```
 % source ./aws_china_mfa.sh
 Using AWS profile: china
@@ -28,10 +50,55 @@ Requesting session token...
 ✓ Successfully authenticated to AWS China
 
 Exported AWS credentials:
+
 AWS_ACCESS_KEY_ID=AKIAWHEATLICIOUSPANCAK
 AWS_PROFILE=china
 AWS_SECRET_ACCESS_KEY=wSyrupyDeliciousSecretKeyForBreakfastDelight42
 AWS_SESSION_TOKEN=FwoGZXIvYXdzEBaaDCakesYrUpSWeetToKenArEDelIcIoUs...
 ```
 
-The script will prompt for your MFA token, retrieve temporary session credentials valid for 24 hours, and export them to your current shell session.
+### Option 2: Execute with eval
+
+```
+% eval "$(./aws_china_mfa.sh)"
+Note: Script is being executed. To apply credentials, run:
+  eval "$(./aws_china_mfa.sh china)"
+
+Using AWS profile: china
+Enter the MFA token code for your AWS China account: 123456
+Retrieving MFA device ARN...
+Requesting session token...
+
+✓ Successfully authenticated to AWS China
+
+Copy and paste the export commands above to apply credentials.
+
+  export AWS_PROFILE='china'
+  export AWS_ACCESS_KEY_ID='AKIAWHEATLICIOUSPANCAK'
+  export AWS_SECRET_ACCESS_KEY='wSyrupyDeliciousSecretKeyForBreakfastDelight42'
+  export AWS_SESSION_TOKEN='FwoGZXIvYXdzEBaaDCakesYrUpSWeetToKenArEDelIcIoUs...'
+```
+
+### Option 3: Execute and copy/paste
+
+```
+% ./aws_china_mfa.sh
+Note: Script is being executed. To apply credentials, run:
+  eval "$(./aws_china_mfa.sh china)"
+
+Using AWS profile: china
+Enter the MFA token code for your AWS China account: 123456
+Retrieving MFA device ARN...
+Requesting session token...
+
+✓ Successfully authenticated to AWS China
+
+Copy and paste the export commands above to apply credentials.
+
+  export AWS_PROFILE='china'
+  export AWS_ACCESS_KEY_ID='AKIAWHEATLICIOUSPANCAK'
+  export AWS_SECRET_ACCESS_KEY='wSyrupyDeliciousSecretKeyForBreakfastDelight42'
+  export AWS_SESSION_TOKEN='FwoGZXIvYXdzEBaaDCakesYrUpSWeetToKenArEDelIcIoUs...'
+```
+
+The script prompts for your MFA token, retrieves temporary session credentials valid for 24 hours, and exports them to your current shell session.
diff --git a/aws_china_mfa/aws_china_mfa.sh b/aws_china_mfa/aws_china_mfa.sh
@@ -1,15 +1,24 @@
 #!/bin/bash
 # shellcheck disable=SC2317
-set -euo pipefail
+set -uo pipefail
 
-readonly DEFAULT_AWS_PROFILE="china"
-readonly SESSION_DURATION=86400
+DEFAULT_AWS_PROFILE="${DEFAULT_AWS_PROFILE:-china}"
+SESSION_DURATION="${SESSION_DURATION:-86400}"
+
+# Check if script is being sourced
+(return 0 2>/dev/null) && sourced=1 || sourced=0
+
+# Only set -e when executed, not when sourced (to avoid exiting user's shell)
+if [[ $sourced -eq 0 ]]; then
+    set -e
+fi
 
 usage() {
     cat << EOF
 Usage: source $0 [OPTIONS] [AWS_PROFILE]
+   or: eval "\$($0 [OPTIONS] [AWS_PROFILE])"
 
-Authenticate to AWS China using MFA and export temporary session credentials in the current shell.
+Authenticate to AWS China using MFA and export temporary session credentials.
 
 POSITIONAL ARGUMENTS:
     AWS_PROFILE    AWS profile name (default: $DEFAULT_AWS_PROFILE)
@@ -18,23 +27,27 @@ OPTIONS:
     -h, --help    Show this help message and exit
 
 DESCRIPTION:
-    This script must be sourced (not executed) to export AWS session credentials
-    to your current shell environment. It prompts for an MFA token, retrieves
-    temporary session credentials, and exports them as environment variables.
+    This script can be sourced or executed with eval to set AWS session credentials.
+    It prompts for an MFA token, retrieves temporary session credentials, and
+    exports them as environment variables.
+
+    When sourced: exports variables directly to your current shell
+    When executed: prints export commands to stdout
 
 PREREQUISITES:
     - AWS CLI must be installed and configured
     - 'jq' must be installed for JSON parsing
     - AWS profile must have MFA device configured
 
 EXAMPLES:
-    source $0                  Use default profile ($DEFAULT_AWS_PROFILE)
-    source $0 my-china-profile Use custom profile
-    source $0 --help           Show this help
+    source $0                      Use default profile ($DEFAULT_AWS_PROFILE)
+    source $0 my-china-profile     Use custom profile
+    eval "\$($0)"                  Execute with eval (default profile)
+    eval "\$($0 my-china-profile)" Execute with eval (custom profile)
+    $0 --help                      Show this help
 
 NOTES:
     - Session credentials are valid for $SESSION_DURATION seconds (24 hours)
-    - This script must be sourced to export variables to your shell
     - Exported variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_PROFILE
 
 EXIT CODES:
@@ -43,14 +56,6 @@ EXIT CODES:
 EOF
 }
 
-# Check if script is being sourced
-(return 0 2>/dev/null) && sourced=1 || sourced=0
-
-if [[ $sourced -eq 0 ]]; then
-    echo "Error: Do not invoke this script directly; instead, run 'source $0'"
-    exit 1
-fi
-
 if [[ "${1:-}" == "-h" ]] || [[ "${1:-}" == "--help" ]]; then
     usage
     return 0 2>/dev/null || exit 0
@@ -72,64 +77,102 @@ check_dependencies() {
     done
 
     if [[ ${#missing_deps[@]} -gt 0 ]]; then
-        echo "Error: Missing required dependencies: ${missing_deps[*]}"
+        echo "Error: Missing required dependencies: ${missing_deps[*]}" >&2
         return 1
     fi
 }
 
+set_credentials() {
+    local mode="$1"
+    local profile="$2"
+    local access_key="$3"
+    local secret_key="$4"
+    local session_token="$5"
+
+    if [[ $mode -eq 1 ]]; then
+        # Sourced mode: export directly
+        export AWS_PROFILE="$profile"
+        export AWS_ACCESS_KEY_ID="$access_key"
+        export AWS_SECRET_ACCESS_KEY="$secret_key"
+        export AWS_SESSION_TOKEN="$session_token"
+    else
+        # Execution mode: print export commands
+        echo ""
+        echo -e "  export AWS_PROFILE='$profile'"
+        echo -e "  export AWS_ACCESS_KEY_ID='$access_key'"
+        echo -e "  export AWS_SECRET_ACCESS_KEY='$secret_key'"
+        echo -e "  export AWS_SESSION_TOKEN='$session_token'"
+    fi
+}
+
 main() {
     check_dependencies
 
-    export AWS_PROFILE="${1:-$DEFAULT_AWS_PROFILE}"
-    echo "Using AWS profile: $AWS_PROFILE"
+    local aws_profile="${1:-$DEFAULT_AWS_PROFILE}"
+
+    if [[ $sourced -eq 0 ]]; then
+        echo "Note: Script is being executed. To apply credentials, run:" >&2
+        echo "  eval \"\$($0 $aws_profile)\"" >&2
+        echo "" >&2
+    fi
+
+    echo "Using AWS profile: $aws_profile" >&2
+    echo -n "Enter the MFA token code for your AWS China account: " >&2
 
-    echo -n "Enter the MFA token code for your AWS China account: "
     read -r token
 
     if [[ -z "$token" ]]; then
-        echo "Error: MFA token cannot be empty"
+        echo "Error: MFA token cannot be empty" >&2
         return 1
     fi
 
-    echo "Retrieving MFA device ARN..."
+    echo "Retrieving MFA device ARN..." >&2
+
     local mfa_arn
-    mfa_arn="$(aws iam --profile "$AWS_PROFILE" get-user --output text --query User.Arn | sed 's|:user/|:mfa/|')"
+    mfa_arn="$(aws iam --profile "$aws_profile" get-user --output text --query User.Arn 2>/dev/null | sed 's|:user/|:mfa/|')"
 
     if [[ -z "$mfa_arn" ]]; then
-        echo "Error: Could not retrieve MFA device ARN"
+        echo "Error: Could not retrieve MFA device ARN" >&2
         return 1
     fi
 
-    echo "Requesting session token..."
-    local credentials
-    credentials="$(aws --profile "$AWS_PROFILE" sts get-session-token --serial-number "$mfa_arn" --token-code "$token" --duration-seconds $SESSION_DURATION)"
+    echo "Requesting session token..." >&2
 
-    if [[ -z "$credentials" ]]; then
-        echo "Error: Failed to retrieve session token"
+    local credentials
+    if ! credentials=$(aws --profile "$aws_profile" sts get-session-token --serial-number "$mfa_arn" --token-code "$token" --duration-seconds "$SESSION_DURATION" 2>&1); then
+        echo "" >&2
+        echo "Error: Failed to retrieve session token." >&2
+        echo "$credentials" >&2
         return 1
     fi
 
-    AWS_ACCESS_KEY_ID=$(echo "$credentials" | jq -r '.Credentials.AccessKeyId')
-    AWS_SECRET_ACCESS_KEY=$(echo "$credentials" | jq -r '.Credentials.SecretAccessKey')
-    AWS_SESSION_TOKEN=$(echo "$credentials" | jq -r '.Credentials.SessionToken')
-
-    export AWS_ACCESS_KEY_ID
-    export AWS_SECRET_ACCESS_KEY
-    export AWS_SESSION_TOKEN
+    local access_key secret_key session_token
+    access_key=$(echo "$credentials" | jq -r '.Credentials.AccessKeyId')
+    secret_key=$(echo "$credentials" | jq -r '.Credentials.SecretAccessKey')
+    session_token=$(echo "$credentials" | jq -r '.Credentials.SessionToken')
 
-    if [[ -z "$AWS_SESSION_TOKEN" ]] || [[ "$AWS_SESSION_TOKEN" == "null" ]]; then
-        echo "Error: Failed to extract session token from credentials"
+    if [[ -z "$session_token" ]] || [[ "$session_token" == "null" ]]; then
+        echo "Error: Failed to extract session token from credentials" >&2
         return 1
     fi
 
-    echo ""
-    echo "✓ Successfully authenticated to AWS China"
-    echo ""
-    echo "Exported AWS credentials:"
-    env | grep '^AWS_' | sort
+    set_credentials "$sourced" "$aws_profile" "$access_key" "$secret_key" "$session_token"
+
+    if [[ $sourced -eq 1 ]]; then
+        echo "" >&2
+        echo "✓ Successfully authenticated to AWS China" >&2
+        echo "" >&2
+        echo "Exported AWS credentials:" >&2
+        echo "" >&2
+        env | grep '^AWS_' | sort >&2
+    else
+        echo "" >&2
+        echo "✓ Successfully authenticated to AWS China" >&2
+        echo "" >&2
+        echo "Copy and paste the export commands above to apply credentials." >&2
+    fi
 }
 
 main "$@"
 
-# TODO #1: 1password integration: extract MFA directly from 1Password.
-# TODO #2: make it work with both source and execution
+# TODO: 1password integration: extract MFA directly from 1Password.
